Is ESET blocking KB4058258 (Windows 10 16299.214)?


howardagoldberg

49 minutes ago, itman said:

We'll just have to wait another two days, and then if folks don't receive their Patch Tuesday Win Updates, we'll know for sure there is an issue.

I went to the Windows Update Catalog web site and checked what is included in KB4058258:

So this update is actually a replacement for cumulative updates going back till 10/2017. This clearly indicates it is a "corrective" update targeted at certain installations MS has deemed problematic.

As far as the Adobe Flash critical security update, KB4056887, mentioned previously, I received it on 1/9/2018; the same day I received the MS Office updates.

FYI - if anyone hasn't figured this out yet, the current Win Update situation is a mess on the Microsoft-side due to numerous installation "hiccups" from the Meltdown/Spectre situation. So if one is looking "to point the finger" at someone in regards to Windows Update status, aim it at Microsoft.

@itman ... There was a new Adobe Flash critical update issued last week. I too have the one from 1/9. There should also be one from around 2/6. That is what is raising up my Spidey senses that there is an issue here. Also, there was a servicing stack update that has not come through that was released within the past ten days. If it had only been the cumulative updates that had not come down, I would be agreeing with you 100%!

So, while I absolutely agree with you that something is up at Microsoft's end (in other words, this may not be exclusively at ESET's end), there does seem to be a correlation between being an ESET user and getting the updates -- and not just the .214 cumulative update.

I am going to try and block out part of Tuesday afternoon to test. If a cumulative, etc. update comes down as expected, great. If not, I will uninstall ESET on the two Win10 systems I have that are exhibiting the same behavior, both running the same version of ESET (just "antivirus"). Both systems have Office 2016 installed, one the "click to run" version, and one the MSI version. On both systems, the non-security Office updates came down as expected.

Still, if @Marcos is following along, I maintain it is in ESET's and the users of ESET's products best interest to confirm before Tuesday that this issue is not related to ESET at all. Because, the evidence points to some type of correlation, even if it is not ESET that did something "wrong." In other words, perhaps WU is not installing the update on systems with ESET intentionally for some reason! One way or the other, there does seem to be an issue.

Link to comment
Share on other sites

21 minutes ago, TomFace said:

Just another reason I did not upgrade to Win10....from my perspective, v10 has a lot of issues.<_<

@TomFace ... Actually, Win10 has presented very few issues for me overall. And Win7 support goes the way of the dodo bird in about 24 months. I have a Win7 system (actually still my primary system for the moment), and even after all this time, it too occasionally has "issues" that are not the result of user-stupid ;-). If you are going to use a computer, it is going to have bugs. Not happy about it, but, just part of the fun.

Link to comment
Share on other sites

1 hour ago, howardagoldberg said:

There was a new Adobe Flash critical update issued last week. I too have the one from 1/9. There should also be one from around 2/6.

I just checked the Windows Update Catalog in regards to Win 10 1709 updates. None have been issued since 1/31/2018:

[Screenshot: Windows Update Catalog]

 

Link to comment
Share on other sites

8 minutes ago, itman said:

I just checked the Windows Update Catalog in regards to Win 10 1709 updates. None have been issued since 1/31/2018:

[Screenshot: Windows Update Catalog]

 

@itman ... Note that there are no Flash updates listed here. So, Flash updates may not be included in this list, as they are not specific to 1709. So, the Flash update - which would not come through the same channel as Office updates - which was released this past week (at least for IE, Chrome, and Firefox) has not come down via WU. Also, I know that other users on 1709 have received a Flash update for Edge this past week. There *is* something amiss, and there *is* a connection to ESET. What that connection is, I am hoping @Marcos will dig deeper to find out!

Also note KB4074608 (https://support.microsoft.com/en-us/help/4074608/servicing-stack-update-for-windows-10-version-1709-january-30-2018), listed as a critical update. That update, the servicing stack update, also has not come down via WU (and was released on the same day as .214).

Edited by howardagoldberg
Link to comment
Share on other sites

2 hours ago, itman said:

We'll just have to wait another two days, and then if folks don't receive their Patch Tuesday Win Updates, we'll know for sure there is an issue.

I went to the Windows Update Catalog web site and checked what is included in KB4058258:

So this update is actually a replacement for cumulative updates going back till 10/2017. This clearly indicates it is a "corrective" update targeted at certain installations MS has deemed problematic.

As far as the Adobe Flash critical security update, KB4056887, mentioned previously, I received it on 1/9/2018; the same day I received the MS Office updates.

FYI - if anyone hasn't figured this out yet, the current Win Update situation is a mess on the Microsoft-side due to numerous installation "hiccups" from the Meltdown/Spectre situation. So if one is looking "to point the finger" at someone in regards to Windows Update status, aim it at Microsoft.

@itman ... every cumulative update is a replacement for the previous update(s). That does not necessarily mean that it is "corrective" or only aimed "at certain installations." On the release notes page for 1709, there is no indication from Microsoft that .201 or .214 was only released to a sub-set of users. In the past, when an update has only been targeted to a subset of users, the release notes clearly indicated that fact.

Link to comment
Share on other sites

12 minutes ago, howardagoldberg said:

Also note KB4074608

You have to manually download it from the Windows Update Catalog. Note what I underlined below:

Quote

Along with the 1709 cumulative update, we’re getting another “WaaSMedic” Remediation Shell, KB 4074608 — a Servicing Stack update released yesterday that, per @abbodi86 on AskWoody:

Fixes and resets update-related parts to their “supported” configuration. It restores registry settings, services statuses, schedule tasks, it clears out disk space, and launches UpdateAssistant.exe if installed. Mainly it’s meant to pave the way to receive the latest updates, whether quality updates, or feature update to latest Windows 10 version

It’s an MSI package not a regular update, doesn’t require a reboot. It has more than 12 releases so far.

He goes on to say:

Servicing Stack updates are bundled with cumulative updates in version 1709. You may notice that the 1709 SSU has a distinguished version (i.e. 16299.122.1.0), not the generic version like other updates before (i.e. 10.0.1.2).

Servicing Stack updates won’t be listed in Windows Update history, but you can find it in Installed Updates

https://www.computerworld.com/article/3252808/microsoft-windows/perfect-end-to-a-perfect-month-yet-another-win10-1709-cumulative-update-kb-4058258.html

Edited by itman
Link to comment
Share on other sites

1 minute ago, itman said:

@itman ... No, you do not need to manually install it. Read the release notes: https://support.microsoft.com/en-us/help/4074608/servicing-stack-update-for-windows-10-version-1709-january-30-2018. They clearly state that Method 1 is to install it via Windows Updates: "Method 1: Windows Update | This update will be downloaded and installed automatically."

Link to comment
Share on other sites

8 minutes ago, itman said:

Along with the 1709 cumulative update, we’re getting another “WaaSMedic” Remediation Shell, KB 4074608 — a Servicing Stack update released yesterday that, per @abbodi86 on AskWoody:

Fixes and resets update-related parts to their “supported” configuration. It restores registry settings, services statuses, schedule tasks, it clears out disk space, and launches UpdateAssistant.exe if installed. Mainly it’s meant to pave the way to receive the latest updates, whether quality updates, or feature update to latest Windows 10 version

It’s an MSI package not a regular update, doesn’t require a reboot. It has more than 12 releases so far.

He goes on to say:

Servicing Stack updates are bundled with cumulative updates in version 1709. You may notice that the 1709 SSU has a distinguished version (i.e. 16299.122.1.0), not the generic version like other updates before (i.e. 10.0.1.2).

Servicing Stack updates won’t be listed in Windows Update history, but you can find it in Installed Updates

@itman ... and to your point, it looks as if the lack of the servicing stack update can have an impact on whether future cumulative, etc. updates come down. It is also not listed in my "installed updates," so it simply has not been "seen" or installed by WU. Also, the link you provided for "He goes on to say ..." does not seem to have anything to do with this issue.

Edited by howardagoldberg
Link to comment
Share on other sites

  • ESET Moderators

Hello guys,

few moments ago we released Anti-stealth support module 1124 for pre-release users which allows latest MS security patches to be installed.

If you want to receive it set your product to receive pre-release updates and let us know.

The distribution should continue to general public users in upcoming days, if no issues will be found.

Regards, P.R.

Link to comment
Share on other sites

1 hour ago, Peter Randziak said:

Hello guys,

few moments ago we released Anti-stealth support module 1124 for pre-release users which allows latest MS security patches to be installed.

If you want to receive it set your product to receive pre-release updates and let us know.

The distribution should continue to general public users in upcoming days, if no issues will be found.

Regards, P.R.

@Peter Randziak @Marcos @itman @cyberhash 

Peter, thank you for following up and following through on this. Given the urgency of the issue, and with Patch Tuesday on the horizon tomorrow, is there any possibility of moving module 1124 to the normal release channel in an expedited manner? I do not necessarily want/need to receive pre-updates for other modules, but I do want to have Windows fully patched. Of course, I understand that 1124 needs to be tested in the field before going out to the entire ecosystem, but please advise on the time-lining of this. Is there a way of installing 1124 without shifting to the pre-release updates?

When I first posted the question regarding Windows Updates and ESET on Win10, it was more-or-less dismissed by ESET as it being highly unlikely that ESET could be involved in any way. The same was true when I posted about the certificate pop-ups issue over a year ago, for which a solution was finally offered by another user (https://forum.eset.com/topic/14563-fixed-certificate-pop-ups-an-application-on-this-computer-is-trying-to-communicate-over-a-channel-encrypted-with-an-untrusted-certificate/). My immediate concern is this - given the true urgency of the issue, the fact that it has been an issue since module 1123 was released (probably before the .201 cumulative update was issued), and the fact that my report was originally dismissed by ESET - 1) what was the issue with the module that resulted in Windows Update failing to pull down patches without so much as an error message, and 2) what is being done to prevent such an occurrence in the future?

I depend on ESET to protect my system. In this case, at a certain level, ESET was actually working against that goal.

With that said, again, I sincerely thank you for looking into this matter and pushing out a solution. I will be curious to hear back from others who test the 1124 module to see if that does in fact resolve the issue!

 

Edited by howardagoldberg
Link to comment
Share on other sites

1 hour ago, Peter Randziak said:

Hello guys,

few moments ago we released Anti-stealth support module 1124 for pre-release users which allows latest MS security patches to be installed.

If you want to receive it set your product to receive pre-release updates and let us know.

The distribution should continue to general public users in upcoming days, if no issues will be found.

Regards, P.R.

So ESET somehow does decide which MS updates get installed, unlike @Marcos said...

What is the reason for this module to do that? And does that module need to be updated for every MS security update?

@howardagoldberg I am on pre-release and with this module update I got 2 new MS updates: KB4074595 and KB4058258

 

Edited by Daedalus
Link to comment
Share on other sites

  • ESET Moderators

Hello guys,

when it comes to the Anti-stealth 1124 release we understand the importance of the updates, but we do not want to get into more serious issues by releasing it without proper testing and feedback from the real world. The plan is to release it during this week, if everything will go as expected.

@howardagoldberg not sure what is your update method, but that is not an easy task. The files can be replaced manually on the system, but that is not a very user friendly way, especially in larger deployments. In case you use a local mirror to update, you can manually modify it, but that is not an easy task too so I would not go for it,...

When it comes to the recent security updates, MS decided not to push it to the machines with AV installed until the AV will signalize it is fully compatible with it by setting a special reg value as the updates bring quite serious changes under the hood and didn't want to cause trouble to customers, which showed to be a very wise decision,...

Regards, P.R.

Link to comment
Share on other sites

1 hour ago, Peter Randziak said:

Hello guys,

when it comes to the Anti-stealth 1124 release we understand the importance of the updates, but we do not want to get into more serious issues by releasing it without proper testing and feedback from the real world. The plan is to release it during this week, if everything will go as expected.

@howardagoldberg not sure what is your update method, but that is not an easy task. The files can be replaced manually on the system, but that is not a very user friendly way, especially in larger deployments. In case you use a local mirror to update, you can manually modify it, but that is not an easy task too so I would not go for it,...

When it comes to the recent security updates, MS decided not to push it to the machines with AV installed until the AV will signalize it is fully compatible with it by setting a special reg value as the updates bring quite serious changes under the hood and didn't want to cause trouble to customers, which showed to be a very wise decision,...

Regards, P.R.

@Peter Randziak Thank you for your prompt reply. I actually only have two Win10 machines on my network (small home office), so depending on the procedure involved, it would not necessarily be difficult for me to update just the Anti-Stealth module manually. Of course, I would need the file(s) and the instructions on how to accomplish this task.

I certainly do understand that proper testing is needed, and it is laudable that ESET is working to ensure no additional harm is done. However, if I do not receive tomorrow's cumulative update, which is going to include over a dozen security updates according to the Microsoft advisory, it means that I am 3 cumulative updates "behind" due to ESET's "protection" until 1124 is pushed out. Assuming no issues are found today, will the 1124 module be pushed out in time for Patch Tuesday at 1:00 p.m. Eastern tomorrow (02/13/2018)?

Regarding, "When it comes to the recent security updates, MS decided not to push it to the machines with AV installed until the AV will signalize it is fully compatible with it by setting a special reg value as the updates bring quite serious changes under the hood and didn't want to cause trouble to customers, which showed to be a very wise decision,..."

ESET already provided that registry key in early January (https://support.eset.com/ca6643/), and I am on the .192 release of Windows 1709 which initially addressed Spectre/Meltdown. I have visually confirmed that the needed registry key is present. So, unless there is *another* registry key that was needed for .201, .204, and the Flash update (unlikely), the current situation has nothing to do with the registry key you are referring to.

The registry key you mentioned was part of the Antivirus and antispyware scanner module that was released in early January several days before the emergency Spectre/Meltdown patch for Windows was released by Microsoft. That Windows patch (.192 for 1709) came down without an issue. The current situation, to the best of my understanding, is not related to that at all, especially since you are saying that the affected module is the Anti-stealth module.

I cannot underestimate the amount of damage that has been done here, at least for me, regarding the trust I have put into ESET. First, I was told by another ESET staff member that I was wrong, and now it seems two separate issues are being conflated. Further, given that it seems likely that all customers not on pre-release updates have not received Windows 10 Updates in nearly a month (at least for 1709), it would be reassuring to see a support article published by ESET acknowledging the issue and detailing the resolution. This was a major bug; for the sake of customer trust, this issue should not be downplayed.

Therefore, again I ask: 1) what was the issue with the module that resulted in Windows Update failing to pull down *all* (non-Office) patches (including Flash updates) without so much as an error message, and 2) what is being done to prevent such an occurrence in the future? Please advise. Thank you.

As an addendum: My Windows 7 system does not seem to be affected by this issue, as updates have been coming down as expected. I have not tested my Win8.1 machine (it is used rarely). Both my Windows 10 machines are on 1709, so I cannot confirm if the issue is present in Windows 10 1703 and earlier releases.

Edited by howardagoldberg
Link to comment
Share on other sites

1 hour ago, Peter Randziak said:

When it comes to the recent security updates, MS decided not to push it to the machines with AV installed until the AV will signalize it is fully compatible with it by setting a special reg value as the updates bring quite serious changes under the hood and didn't want to cause trouble to customers, which showed to be a very wise decision,...

Does this mean MS has again revised values within the below reg. key or created another one?

Quote

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD"
Data="0x00000000"

 

Link to comment
Share on other sites
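
The compatibility flag quoted in the post above can be checked directly on an affected machine. The following is an added example, not part of the thread and not ESET or Microsoft code: it assumes the flag is expected as a REG_DWORD with data 0, as quoted, and the function and variable names are illustrative. The thread does not name the second flag or say where it lives, so the script only lists whatever else is present under this key.

```powershell
# Added example (not from the thread): report the QualityCompat flag state,
# the OS build revision, and which KBs mentioned in the thread are installed.
$ErrorActionPreference = 'Stop'

$CompatKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$CompatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # value name as quoted in the thread
$ThreadKbs   = 'KB4058258', 'KB4074608', 'KB4074595'    # KB numbers mentioned in the thread

function Get-QualityCompatState {
    # Assumption: "ready" means the value exists, is a DWORD, and holds 0.
    $result = [ordered]@{
        KeyPresent  = $false
        FlagPresent = $false
        FlagKind    = $null
        FlagData    = $null
        FlagOk      = $false
        OtherValues = @()
    }
    if (-not (Test-Path -LiteralPath $CompatKey)) {
        return [pscustomobject]$result
    }
    $result.KeyPresent = $true

    $key   = Get-Item -LiteralPath $CompatKey
    $names = $key.GetValueNames()
    # Anything else under the key is listed, not interpreted.
    $result.OtherValues = @($names | Where-Object { $_ -ne $CompatValue })

    if ($names -contains $CompatValue) {
        $result.FlagPresent = $true
        $result.FlagKind    = $key.GetValueKind($CompatValue)
        $result.FlagData    = $key.GetValue($CompatValue)
        $result.FlagOk      = ($result.FlagKind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and
                              ($result.FlagData -eq 0)
    }
    [pscustomobject]$result
}

function Get-OsBuild {
    # CurrentBuild.UBR gives the build strings used in the thread (e.g. 16299.214).
    $cv = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR
}

function Get-ThreadKbStatus {
    # Get-HotFix reads Win32_QuickFixEngineering; a superseded cumulative update
    # may legitimately be absent once a later one is installed.
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty HotFixID)
    foreach ($kb in $ThreadKbs) {
        [pscustomobject]@{ KB = $kb; Installed = ($installed -contains $kb) }
    }
}

$state = Get-QualityCompatState
"OS build          : $(Get-OsBuild)"
"QualityCompat key : $(if ($state.KeyPresent) { 'present' } else { 'MISSING' })"
if ($state.FlagPresent) {
    "Compat flag       : {0} = 0x{1:X8} ({2})" -f $state.FlagKind, $state.FlagData,
        $(if ($state.FlagOk) { 'as expected' } else { 'UNEXPECTED type or data' })
} else {
    "Compat flag       : MISSING ($CompatValue)"
}
"Other values      : $(if ($state.OtherValues) { $state.OtherValues -join ', ' } else { '(none)' })"
Get-ThreadKbStatus | Format-Table -AutoSize
```

Reading HKLM and calling Get-HotFix needs no elevation, so the check can run from an inventory or logon script across machines.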

4 minutes ago, itman said:

Does this mean MS has again revised values within the below reg. key or created another one?

 

@itman @Peter Randziak That was exactly my point above. There has been nothing from Microsoft indicating that a new registry key was needed, so the current issue does not have anything to do with the earlier Antivirus/antistealth module update that flipped the registry key and allowed for the .192 update on 1709 to be installed.

Edited by howardagoldberg
Link to comment
Share on other sites

@Peter Randziak @Marcos ... Likely having nothing to do with anything being discussed here, but just in case it matters: ESET Antivirus just updated itself from version 11.0.159.0 to 11.0.159.9 on the two systems (Win10 1709 and Win7) I am currently sitting in front of. The anti-stealth module is still at 1123, and WU on Win10 is still not pulling anything. Should I assume this product update has nothing to do with the discussion in this thread?

Edited by howardagoldberg
Link to comment
Share on other sites

I pulled KB4074608, KB4074595, and KB4056258 for Win 10 x64 1709 from Windows Update Catalog and installed them manually.

Would greatly appreciate Eset post a "heads up" announcement in the forum when there are issues with auto Win updating because of Eset compatibility. Then one can do the updating manually.

My personal opinion is this is going to be an ongoing issue. It is obvious it is Microsoft's "master plan" to harass third party AV vendors by tactics currently being employed to make Windows Defender a more attractive alternative to the average user.

Link to comment
Share on other sites

23 minutes ago, itman said:

I pulled KB4074608, KB4074595, and KB4056258 for Win 10 x64 1709 from Windows Update Catalog and installed them manually.

Would greatly appreciate Eset post a "heads up" announcement in the forum when there are issues with auto Win updating because of Eset compatibility. Then one can do the updating manually.

My personal opinion is this is going to be an ongoing issue. It is obvious it is Microsoft's "master plan" to harass third party AV vendors by tactics currently being employed to make Windows Defender a more attractive alternative to the average user.

@itman ... While there may indeed have been some conflict/miscommunication between ESET and Microsoft, I do not think that Microsoft has any intention to harass third party vendors by risking customer safety. That would not be good for Microsoft, even if their intentions are not 100% benevolent.

It is highly unlikely Microsoft made some major change to how WU on win10 functions, that would affect AV vendors, that they did *not* announce, and left 3rd party AV providers unknowingly unproductive of their customers. More likely, a bug was introduced into the Anti-Stealth module by ESET. Bugs happen. Software is not perfect. It is fair to say this past month has been particularly challenging on the security front for everyone involved.

That said, security software providers have an extra-added obligation to make sure that the software they provide "does no harm," and to communicate transparently with their customers when something does go wrong. If MS is responsible, let ESET say so. Otherwise, ESET should publish a support article making their users aware of what happened and why, and what is being done to remediate the situation and prevent it from occurring again.

Most users have WU set to automatically update, and most users would not know where to begin in terms of updating manually, and keeping track of what updates are available and applicable. 

Edited by howardagoldberg
Link to comment
Share on other sites

  • Most Valued Members

It's been a very bad end & start of year with regards to windows updates and security in general. Too many out of schedule updates, some of which rendered machines useless and then subsequently pulled by MS. Then patches released by MS to replace the buggy ones were also found to be having issues and likewise pulled.

Then add to that mix, some people that were installing updates manually by downloading the corresponding KBs (as they could not see them via WU) were also having problems of varying degrees of severity.

Plus one of my pet hates since moving over to win 10 with regards to updates .......... is the "still to be explained" by MS,  delay of updates that can be 3 or 4 days or more after release. If Microsoft could address this issue as a starting point, then at least everyone would know where to start if they never received the patches within say a 24hr period. This leaves people everywhere searching for what "might" be the reason for not receiving their update/s.

Then people end up manually searching and installing KBs, not knowing they come with issues and making matters worse. Or just as bad, spend hours/days looking for a resolution to something to no avail.

I sort of feel kind of stupid personally, where a 1 second export of settings > uninstall my Eset product > reboot and check windows update could have confirmed where my issue was stemming from. But after checking all firewall settings and traffic to and from windows update servers among other things, I never suspected this to be the issue. Plus I'm limited with time.....

Bugs appear in all software from time to time. At least with the input from all the people on this forum and the matter being resolved quickly by Eset, we all now have our missing WU problem fixed :)

 

Link to comment
Share on other sites

Another point of discussion is why Eset's Anti-Stealth option would be a factor at all for any recent x64 Win OS ver. That option is Eset's anti-rootkit mitigation. Due to x64 kernel patch protection i.e. KPP, rootkits on x64 OS versions are for all practical purposes non-existent. I use NVT's SSDT utility to verify no kernel hooks exist including Eset's.

Link to comment
Share on other sites

@Marcos @Peter Randziak This morning upon booting my system ... Anti-Stealth module 1124 came down via the regular update channel, and Windows did pull the latest Flash update and the .214 cumulative update. Unless there is any issue with today's "Patch Tuesday" updates, this will likely be my last post in this thread :) That said, I still think it would be a very good idea for ESET to post a support article regarding this incident, as I suggested above.

Link to comment
Share on other sites

  • ESET Moderators

Hello guys,

sorry for the misinformation so I will try to sum it up, it seems we had not full / correct information on this as well.

Antivirus and anti-spyware module 1533.3 (released 2018-01-14 at around 7:45 CET) set the registry key needed to signalize readiness for MS January security patches (as we had no issues with them (for the x64 architecture as those were available only for this bitness)), it set it for all supported Windows systems. So Win10 RS3 was updated to 16299.192

Later MS prepared the fixes for x86 platform as well and MS decided that another registry key has to be set to signalize AV readiness for this update (for the x86 platform), this one should update to Win10 to 16299.201

This time we needed to make fixes to become fully compatible so Anti-stealth 1124 set this registry flag to signalize Windows that ESET AV is ready for the update.

There happened some miscommunication and it seems that the second registry flag (set by Anti-stealth 1124) is required to receive the updates.

The Anti-stealth support module 1124 has been released for general public today at around 10:30 CET so it should be sorted after next update.

 

Thank you for bringing this topic and for detailed observations and analysis of the behavior.

 @howardagoldberg I may assure you we do our best to protect our users.

@itman Anti-stealth is there not only for detection rootkits, it has various supporting features.

Regards, P.R.

Link to comment
Share on other sites

1 hour ago, Peter Randziak said:

Hello guys,

sorry for the misinformation so I will try to sum it up, it seems we had not full / correct information on this as well.

Antivirus and anti-spyware module 1533.3 (released 2018-01-14 at around 7:45 CET) set the registry key needed to signalize readiness for MS January security patches (as we had no issues with them (for the x64 architecture as those were available only for this bitness)), it set it for all supported Windows systems. So Win10 RS3 was updated to 16299.192

Later MS prepared the fixes for x86 platform as well and MS decided that another registry key has to be set to signalize AV readiness for this update (for the x86 platform), this one should update to Win10 to 16299.201

This time we needed to make fixes to become fully compatible so Anti-stealth 1124 set this registry flag to signalize Windows that ESET AV is ready for the update.

There happened some miscommunication and it seems that the second registry flag (set by Anti-stealth 1124) is required to receive the updates.

The Anti-stealth support module 1124 has been released for general public today at around 10:30 CET so it should be sorted after next update.

 

Thank you for bringing this topic and for detailed observations and analysis of the behavior.

 @howardagoldberg I may assure you we do our best to protect our users.

@itman Anti-stealth is there not only for detection rootkits, it has various supporting features.

Regards, P.R.

@Peter Randziak Thank you for this update, and the explanatory information. I am surprised by the fact that yet another registry key had to be set for the .201 and future updates. I had not seen anything about that via Microsoft or the regular channels I monitor/participate in (such as the patch-management listserv). Out of pure curiosity, why was the first registry key set through the anti-virus engine module, while the next key needed to be set through the anti-stealth module?

Are you aware of any issues we should anticipate with today's updates (I assume there will be another cumulative update along with other security updates for Office products)?

@Peter Randziak @Marcos Was yesterday's program update to 11.0.159.9 related to these issues at all? Every system I have ESET on has been updated from 11.0.159.0 to 11.0.159.9 via the regular update channel. I thought this was interesting, as such updates do not generally contain changes, except to have the latest modules as part of the install package for new installs.

Edited by howardagoldberg
Link to comment
Share on other sites

This topic is now closed to further replies.